summaryrefslogtreecommitdiffstats
path: root/lass/1systems
diff options
context:
space:
mode:
Diffstat (limited to 'lass/1systems')
-rw-r--r--lass/1systems/daedalus/config.nix1
-rw-r--r--lass/1systems/mors/config.nix1
-rw-r--r--lass/1systems/neoprism/config.nix25
-rw-r--r--lass/1systems/neoprism/disk.nix116
-rw-r--r--lass/1systems/neoprism/physical.nix42
-rw-r--r--lass/1systems/prism/config.nix2
-rw-r--r--lass/1systems/yellow/config.nix21
7 files changed, 204 insertions, 4 deletions
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index d6943c110..9ef858e28 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -53,6 +53,7 @@ with import <stockholm/lib>;
services.xserver.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
+ services.tlp.enable = lib.mkForce false;
services.xserver.layout = "de";
}
{
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index dd479f267..6d0d177ec 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -41,6 +41,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ppp/umts-stick.nix>
# <stockholm/lass/2configs/remote-builder/morpheus.nix>
# <stockholm/lass/2configs/remote-builder/prism.nix>
+ <stockholm/lass/2configs/autotether.nix>
{
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix
new file mode 100644
index 000000000..e4f9d2560
--- /dev/null
+++ b/lass/1systems/neoprism/config.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/lass>
+ <stockholm/lass/2configs/retiolum.nix>
+ <stockholm/lass/2configs/libvirt.nix>
+ { # TODO make new hfos.nix out of this vv
+ users.users.riot = {
+ uid = pkgs.stockholm.lib.genid_uint31 "riot";
+ isNormalUser = true;
+ extraGroups = [ "libvirtd" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+ ];
+ };
+ # krebs.iptables.tables.filter.FORWARD.rules = [
+ # { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
+ # { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
+ # ];
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.neoprism;
+}
diff --git a/lass/1systems/neoprism/disk.nix b/lass/1systems/neoprism/disk.nix
new file mode 100644
index 000000000..cf9a8cef4
--- /dev/null
+++ b/lass/1systems/neoprism/disk.nix
@@ -0,0 +1,116 @@
+{ lib, ... }:
+{
+ disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: {
+ type = "disk";
+ device = disk;
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "boot";
+ type = "partition";
+ start = "0";
+ end = "1M";
+ part-type = "primary";
+ flags = ["bios_grub"];
+ }
+ {
+ type = "partition";
+ name = "ESP";
+ start = "1M";
+ end = "1GiB";
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "mdraid";
+ name = "boot";
+ };
+ }
+ {
+ type = "partition";
+ name = "zfs";
+ start = "1GiB";
+ end = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ }
+ ];
+ };
+ })) // {
+ hdd1 = {
+ type = "disk";
+ device = "/dev/sda";
+ content = {
+ type = "zfs";
+ pool = "tank";
+ };
+ };
+ };
+ mdadm = {
+ boot = {
+ type = "mdadm";
+ level = 1;
+ metadata = "1.0";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ mode = "mirror";
+ mountpoint = "/";
+ rootFsOptions = {
+ };
+ datasets.reserved = {
+ zfs_type = "filesystem";
+ options.refreservation = "1G";
+ };
+ };
+ tank = {
+ type = "zpool";
+ datasets = {
+ reserved = {
+ zfs_type = "filesystem";
+ options.refreservation = "1G";
+ };
+ containers = {
+ zfs_type = "filesystem";
+ mountpoint = "/var/lib/containers";
+ };
+ home = {
+ zfs_type = "filesystem";
+ mountpoint = "/home";
+ };
+ srv = {
+ zfs_type = "filesystem";
+ mountpoint = "/srv";
+ };
+ libvirt = {
+ zfs_type = "filesystem";
+ mountpoint = "/var/lib/libvirt";
+ };
+ # encrypted = {
+ # zfs_type = "filesystem";
+ # options = {
+ # mountpoint = "none";
+ # encryption = "aes-256-gcm";
+ # keyformat = "passphrase";
+ # keylocation = "prompt";
+ # };
+ # };
+
+ # "encrypted/download" = {
+ # zfs_type = "filesystem";
+ # mountpoint = "/var/download";
+ # };
+ };
+ };
+ };
+}
diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix
new file mode 100644
index 000000000..4ffb749f1
--- /dev/null
+++ b/lass/1systems/neoprism/physical.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+ imports = [
+ ./config.nix
+ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+ ];
+
+ disko.devices = import ./disk.nix;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ # networking config
+ boot.kernelParams = [ "net.ifnames=0" ];
+ networking.bridges."ext-br".interfaces = [ "eth0" ];
+ networking = {
+ hostId = "2283aaae";
+ defaultGateway = "95.217.192.1";
+ defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; };
+ # Use google's public DNS server
+ nameservers = [ "8.8.8.8" ];
+ interfaces.ext-br.ipv4.addresses = [
+ {
+ address = "95.217.192.59";
+ prefixLength = 26;
+ }
+ ];
+ interfaces.ext-br.ipv6.addresses = [
+ {
+ address = "2a01:4f9:4a:4f1a::1";
+ prefixLength = 64;
+ }
+ ];
+ };
+
+}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 7bffc39aa..594a21c02 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -111,6 +111,8 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/jitsi.nix>
<stockholm/lass/2configs/fysiirc.nix>
<stockholm/lass/2configs/bgt-bot>
+ <stockholm/lass/2configs/mumble-reminder.nix>
+ <stockholm/krebs/2configs/mastodon-proxy.nix>
{
services.tor = {
enable = true;
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 52d7a0f1f..ecf0337ed 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -1,6 +1,6 @@
-with import <stockholm/lib>;
-{ config, lib, pkgs, ... }:
-{
+{ config, lib, pkgs, ... }: let
+ vpnIp = "85.202.81.161";
+in {
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
@@ -11,6 +11,8 @@ with import <stockholm/lib>;
users.groups.download.members = [ "transmission" ];
+ networking.useHostResolvConf = false;
+ networking.useNetworkd = true;
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
services.transmission = {
@@ -167,13 +169,24 @@ with import <stockholm/lib>;
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
];
+ tables.filter.OUTPUT = {
+ policy = "DROP";
+ rules = [
+ { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
+ { predicate = "-o tun0"; target = "ACCEPT"; }
+ { predicate = "-o retiolum"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
+ ];
+ };
};
services.openvpn.servers.nordvpn.config = ''
client
dev tun
proto udp
- remote 194.110.84.106 1194
+ remote ${vpnIp} 1194
resolv-retry infinite
remote-random
nobind
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-25 16:47:49 +0000